Slashdot Mirror

← Back to Stories (view on slashdot.org)

Captain Crunch's New Boxes, Part II

Posted by timothy on from the whistle-whistle dept.

micsaund writes: "It looks like the infamous Captain Crunch has been toiling away for 3 years on a firewall now known as the Crunchbox. It runs OpenBSD and is administered via a web-based interface. Steve Wozniak is quoted as saying it's 'next to un-crackable.' Check it out at ShopIP. The Register also has an article on it. As an aside, since the Linux Router Project (LRP) appears to have been sold-out and GnatBox is a tad expensive, is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?" We mentioned Draper's venture into firewalls last year, but there's been some progress since then.

28 of 414 comments (clear)

  1. Just make sure by javaaddikt · · Score: 5, Funny

    that you don't have a modem in your crunchbox
    :)

  2. Smoothwall by ViceClown · · Score: 4, Informative

    Installs in a snap, free download, stupendous interface, good support. I've used it for months now without a hickup. Just my $0.02

    Smoothwall

    Cheers :-)

    --
    Have a Happy.
    1. Re:Smoothwall by GSloop · · Score: 5, Informative

      I've never used smoothwall, and I haven't gotten any support, so I am giving "hearsay" here...

      But, from what I gather, and I have done some searching, Dick (aka Richard Morrell) seems to have a few screws loose. From all accounts, he is cranky and sometimes more than downright nasty.

      His product is FREE though, you should just don your asbestos suit should you go looking for support. (View a few IRC logs etc. to get a feel for how "Dick" seems to view newbies and/or non-paying customers.)

      Frankly, I'd rather do some extra work myself, than deal with people who are unsociable.

      All standard disclaimers, YMMV etc.

      Cheers!

    2. Re:Smoothwall by Anonymous Coward · · Score: 5, Informative

      Well, I'm glad that you had nice experiences, but the general consensus seems to be that good support is a rare thing from Smoothwall (hence IPCop.org, I guess). They certainly carve bold new diretions for customers service! They'll swear at you, not answer emails, and not rarely answer specific questions (instead, cut-n-pastes are regular).

      I'm not willing to post my emails between the developers, I, and other people in the company. I really don't want to be hassled by Smoothwall anymore. The funny thing is that I'm quite sure I'm unidentifable in the masses of people who might say such a thing ;)

      (and this comes from a paying customer of Smoothwall Corp. - not a freeloader).

      I *strongly* recommend any other distro. I didn't think customer service mattered much until I found a bug in their product and wanted them to fix it.

    3. Re:Smoothwall by TellarHK · · Score: 4, Informative

      Yep, Morrell is definitely someone to watch out for. He threatens, harasses, and insults practically anyone that doesn't tell him Smoothwall's the greatest thing since using the GPL as a way to fork off to a commercial product after getting overenthusiastic community ego boosting.

      He's gone so far as to make legal quasi-threats against me and other critics of his treatment of Smoothwall users. He's driven away enough developers that the IPCop project was formed and seems to have done quite a good job at proving themselves to have intentions of being more than just another forked project. IPCop has performed just wonderfully for me since my abandonment of Smoothwall.

      For the morbidly curious, I have an archive of my emailing back and forth with Richard on this webpage.

      --
      My own pointless vanity vintage computing page
    4. Re:Smoothwall by Waffle+Iron · · Score: 5, Funny
      His product is FREE though, you should just don your asbestos suit should you go looking for support. (View a few IRC logs etc. to get a feel for how "Dick" seems to view newbies and/or non-paying customers.)

      I think this guy has finally found a way to make money on free software: Forget selling licenses; forget selling service and support. Just sell protection from ridicule and verbal abuse.

      Preserving some semblance of self-esteem has clear value in the marketplace. I think this business plan will be successful.

    5. Re:Smoothwall by nomadic · · Score: 4, Funny

      But, from what I gather, and I have done some searching, Dick (aka Richard Morrell) seems to have a few screws loose. From all accounts, he is cranky and sometimes more than downright nasty.

      An ill-mannered, non-social programmer? Impossible!

  3. LRP "sold out" ? by maggard · · Score: 4, Informative
    How so? They took offerings from VA Linux?

    The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.

    Was there any reason for this possibly very damaging statement?

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
    1. Re:LRP "sold out" ? by slamb · · Score: 5, Informative
      The mailing list is active, there are any number of distributions though few on the latest kernels, all appears kosher if not frantically active.

      Was there any reason for this possibly very damaging statement?

      Yeah, because at the linked site:

      • There have been no releases since 0.9.8 on 12 Sep 2000 (a year and a half).
      • The only news since then has been three seperate sponsers (Cyclades, VA, and Sangoma). It's not clear what the money is being used for.
      • The mailing list archives, give 404s on the -devel list. Only the users list seems to be active.
      • The "unstable" directory on the site contains only (besides the 0.9.8 release) a few kernel patches made to 2.2.19 in July of 2001.

      On the other hand, this site seems quite active. I'm not sure what their relationship is.

    2. Re:LRP "sold out" ? by zsazsa · · Score: 5, Informative

      linuxrouter.org is no longer the center of "Linux-firewall-on-a-floppy" development. It's been seldom updated for several years now; the only important thing on it being the mailing list. The site even apologizes for its own lack of maintenance: Unfortunately most all of the LRP docs at this site are painfully out of date. The LRP still is the basis of most Linux floppy distros, albiet heavily modified.

      Instead of linuxrouter.org, the real hotbed of development these days is the LEAF site, LEAF standing for Linux Embedded Appliance Firewall. The steinkuehler.net site you mentioned is a part of LEAF, hosting the Eiger/Dachstein distributions. Unfortunately the linuxrouter.org project doesn't point the way to LEAF. I only found out about it by following the mailing lists.

      Ian

    3. Re:LRP "sold out" ? by GlobalEcho · · Score: 5, Informative

      I wrote what was once widely appreciated as the most useful howto for using LRP. It is now woefully out of date, and I recommend Eigerstein or Dachstein, which are so well-designed that they don't need that kind of detailed documentation.

      I can shed a little more light on the middle-recent history of LRP and LEAF. Two years ago, LRP was indeed the center of all linux floppy firewall/router activity. However, people were starting to innovate, and Dave Cinege (who owns the domain name) never seemed to find the time to update his own work or incorporate that of others. It was a running joke on the mailing list. It would not have been much work for Dave to at least put up links to the sites documenting and extending LRP, but it never seemed to happen.

      For a while, linuxrouter.sourceforge.net (now changed to leaf.sourceforge.net) was a repository of all the extra work. Before that everything had been on a crazy collection of obscure personal websites (like mine).

      Dave promised major updates to LRP, and then gave up on LRP and decided a completely new, cool project was necessary. This was around the time Tim McVeigh was executed, which Dave considered the murder of a hero or prisoner of war. Without getting into politics or morality, I merely note that it was the last straw for many people, who made a complete split and formed LEAF. I presume it was the rancor behind this split that keeps Dave from mentioning LEAF on his website.

      Unfortunately, if you type "linux router" into Google, LEAF shows up way down the list -- maybe 20th.

      IMHO, the people working on LEAF are dedicated and impressive. It remains far and away the best floppy-based router/firewall available. It is certainly the most actively maintained.

  4. FreeSCO by groove10 · · Score: 4, Informative

    That's what I use on my little NAT/Gateway thing at home. Works like a champ. Web-based config + many other add-ons for this floppy distro. More put together than LRP IMHO. Check it out at: freeSCO.org. The dicumentation is pretty good, although it may not be as secure as other distros.

    --
    MMORPG fan-boy? Prove your worth
  5. People shouldn't say these things! by jaavaaguru · · Score: 4, Funny

    next to un-crackable

    What does Steve Wozniak have against Captain Crunch? we all know what happened to Oracle when they made similar claims.

    --
    Follow me
  6. Coyote Linux by servoled · · Score: 4, Informative

    Note sure if this qualifies, but it is a neat little floppy disk distribution that does nat. Check it out at http://www.coyotelinux.com/.

    --
    "I have a porkchop, you have a porkchop. I have a veal, you have a veal".
    1. Re:Coyote Linux by wholesomegrits · · Score: 5, Insightful

      Maybe a few comments from De Raadt, the OpenBSD guy, regarding the intelligence of using a floppy disk for your firewall are in order. The short and quick: it's a stupid idea. This thread seems to be dominated by the "let's entrust my entire network's security to a $.25 (or cheaper) part that has the highest failure rate of any storage medium ever. This isn't directed at you, servoled, but just a general note for the thread.

      --
      No sig is worth reading.
  7. Clarkconnect by Anonymous Coward · · Score: 5, Informative

    I use clark connect for my firewall. Its linux based wit a web admin, it displays usage reports, bandwidth graphs. Does nslookups and whois on people who try to hack you. Even displays "12.12.12.12 tried to use Code Red 2.0"
    Also includes CUPS for printing.Samba for file sharing. OpenSSH and the web based admin uses ModSSL so its all encrypted.

    Its frickin awesome! Is built from Redhat 7.2 and accepts all Redhat 7.2 RPMS.

  8. Gnat box has a Free 5-user version by young-earth · · Score: 5, Informative

    works great, easy to set up, floppy only, works on >= 486 machines. I've never seen it go below 98% idle on a 100MHz P5 with 5 hard-working machines filling a 768Kbps DSL line. You can pay $50 and get a DMZ added on to the free version, same price for a VPN license.

    Download it from here. This is a BSD based firewall, but no shell, nothing for a cracker to get onto it. Uses SSL web access (new in later versions) or a Winblows client for configuration.

    Oh and one point that is heavily stressed in their marketing material - it's ICSA certified.

    There is a small version for ~$750 street price that gives 25-user version with DMZ, no moving parts, runs off 12VDC.

    --
    Got Wisdom?
  9. Astaro Security Linux by lethalp1mpslapper · · Score: 4, Informative

    This firewall is free for non-commercial use and has a web interface to boot. I've used this for sometime now. It supports VPN, incoming/outgoing email virus scan, IP accounting and routing. It will even update itself on the fly if you want. Here is the link: Astaro Security Linux

    P.S. - I don not work for these guys, I am just impressed by what they offer.

  10. Is a remotely updatable firewall a good thing? by gwernol · · Score: 4, Insightful

    From the page at iShop.com:

    The latest attack signature libraries can be automatically updated from a centralized source of the computer security community.

    I am certainly not a security expert, but this seems like a potential weak point. If they can automatically change the rules the firewall uses, then in theory someone else could as well, if they cracked the update protocol.

    Does anyone know how they protect these updates so that they can't be intercepted and broken?

    --
    Sailing over the event horizon
  11. FWTK: Not a fancy interface... by tkrotchko · · Score: 4, Interesting

    ...but a solid firewall.

    http://www.fwtk.org/main.html

    There's still a lot of support and I believe an active mailing list.

    I put one together 5 years ago, and the company I work for still uses it for their mailing host.

    Interface? There is none. But it works pretty damned good if you're willing to spend 1 day understanding how it works.

    Not a bad deal.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  12. A few firewall linux based distros by Dacmot · · Score: 4, Informative
    1. Freesco which I personnally use on a 486/dx2 with 8mb of ram. It has many functionalities like remote access, dhcp, dns, print server, firewalling, masquerading, bridging, support for many ethernet cards and best of all fits on a floppy (no HD required, but possible to do a HD install) Works like a charm and very easy to setup... almost plug and play (although not like windoze's plug and pray)
    2. Coyote Linux which seems to offer a few more features than freesco, but requires 12mb of ram. Again, fits on a floppy.
    3. SmoothWall which seems to be more of a feature complete firewalling solution includes web-based admin, proxy server and much more. It's larger (30MB or so) but seems fairly easy to use.
  13. Saw this and thought... by gmhowell · · Score: 4, Funny

    I was grocery shopping today. I noticed that the elephant is no longer on the peanut butter cap'n crunch. And that 'thing' is no longer on the crunch berry box. I figured the first link in this story would go here. Nope. Just some boring hacker crap.

    (and for those keeping score, I am in fact blocking timothy's articles from the front page. I came here after seeing the headline on another site.)

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  14. LRP is now LEAF... by phraktyl · · Score: 5, Insightful

    LRP has been superceded by the LEAF project at http://leaf.sourceforge.net. I'm running a current LEAF distro (Oxygen) and it's rock solid. There are quite a few different flavors, depending on your needs and experience level.

    From the LEAF site:

    An easy to use embedded Linux network appliance for use in small office, home office, and home automation environments. Although it can be used in other ways, it's primarily used as a gateway/router/firewall for Internet leaf sites.
    Last Oxygen release was about 2 weeks ago.
    --
    Karma: Marginal (mostly due to the border around the website)
  15. Re:Correct Smoothwall Archive URL by Watts+Martin · · Score: 4, Insightful

    You know, after reading the entire thing, I think both you and Dick should be taken out and spanked. :)

    It's obvious Dick is genetically incapable of responding civilly, and he should be physically prevented from responding to users. There are certain people who seem to revel in the Bastard Operator From Hell stereotype. One suspects he started his own company because if he tried to work for anyone else, they'd fire him, ideally with a cannon.

    Having said that, though, it's also clear that you simply weren't willing to take "it's a firewall, and isn't competing with a Linux distribution" for an answer. Dustmite didn't start out irritable--he got that way after explaining the rationale. Then doing it again. Then repeating himself. Over. And over. And over.

    Quite frankly, any engineer would have started sounding irritable by the end of that IRC log. He could have handled it better, but honestly, you didn't come across like you were going to accept any "closure" other than a Smoothwall employee saying, "Yes, it's a great idea to put GCC and a web server on our firewall, and we'll get right on it."

    It's interesting to hear these things about Smoothwall, though, since I work for a company that makes a box that competes with them. (Incidentally, our box does have a web server on its firewall if you want it. Dustmite is right: it's bad security to do that.)

  16. Re:Smoothwall Attitude Problems (was: Smoothwall) by dpotter · · Score: 5, Interesting
    Just took a quick look at the Smoothwall FAQ and I have to say that you appear to be correct about Mr. Morrell's attitude:

    The FAQ devotes 32 of 88 pages to how to correctly interact with the community, with such topics as "On Not Reacting Like a Loser" and "RTFM and STFW: How to tell you've seriously screwed up."

    Furthermore, the remaining 56 pages are liberally sprinkled with the same: "Asking this question on the mailing list or IRC will inevitably result in the verbal equivalent of being hit round the head with a baseball bat. The answer is NO."

    While I appreciate the sentiment of these statements, devoting nearly half of the document to this topic might be a little overboard.

  17. Summary of mentioned firewalls, and a question by Anonymous Coward · · Score: 5, Informative
    It looks like a lot of the Linux-based firewalls I've seen recommended here use ipchains with the 2.2 kernel instead of iptables with the 2.4 kernel. As far as I understand, this would mean they can't do connection tracking for things like FTP and IRC. Here's what I'm able to figure out so far...

    Firewalls using iptables with 2.4.x kernel:

    Firewalls using ipchains with 2.2.x kernel:

    Firewalls using ipfwadm with 2.0.x kernel:
    • Freesco: ipfwadm, 2.0.38 (!)
    • FWTK: Dunno, looks old, mentions ipfwadm

    My question is, isn't it best to use an iptables-based firewall on a 2.4.x kernel instead of an ipchains- or ipfwadm-based firewall on a 2.2.x or 2.0.x kernel? I definetely want the connection tracking capabilities in the 2.4.x kernel, especially for screwy things like FTP, IRC, etc. (Yes, I know there is an IRC connection tracking patch out now for 2.4 kernels...) Is a kernel that doesn't support connection tracking for firewalls a reasonable option these days?
    1. Re:Summary of mentioned firewalls, and a question by GlobalEcho · · Score: 4, Informative

      Linux firewalls and NAT routers were able to handle FTP and IRC at least as far back as the 2.0.x series kernels, using kernel modules that I assume basically forced state tracking on these types of connections. Other modules handle all the other major protocols like this (e.g. RealAudio).

      LEAF/LRP/Dachstein do so automatically. I assume most if not all of the others you cite do so as well.

      So, to answer your question, the answer is "no". Lack of support for connection tracking is indeed unacceptable. But 2.0.x and 2.2.x have tracking after all, at least where it matters.

  18. Re: Updating Smoothwall yourself? by King_TJ · · Score: 4, Interesting

    It's always interesting to see people so quick to attack an author of security-related software when they ask how to essentially "de-secure" the product!

    I mean, honestly, it's probably a little "over the top" to ban your IP over the question -- but looking at it from the author's side for a minute; You're basically trying to modify the package to suit your specific needs. If you do this, you run a risk of introducing new code that's untested as to the level of security inherent in it. If the author helps you do these modifications, and then your box gets hacked later, how do you think that reflects on his original product?

    Richard Morrell may have his share of attitude problems, but I don't think this is really a fair one to use against him. Firewalls are *not* supposed to run other services. People keep trying to add ftp, printing and Samba file sharing services to Smoothwall, among other things - and it's just a BAD idea.